PDF malware analysis — malicious · f358e1dcc379b1f0

MALICIOUS

PDF

95.3 KB Created: 2021-09-16 01:00:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 271b07b41961f4b941262ecc7fa890f8 SHA-1: 8637051516b3b1277bfa03b48a629b4ae26559a2 SHA-256: f358e1dcc379b1f0286684c70fc6e8fd3bf68611c7e703afcb68247a5a24b158

222 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document exhibits characteristics of an advance-fee scam, presenting lures related to lotteries or parcels and instructing the user to provide a password for an archive. The presence of embedded JavaScript, flagged by heuristics, suggests the potential for malicious actions such as downloading a second-stage payload from one of the numerous external URLs. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9969

Heuristics 9

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://huntic.ru/uplcv?utm_term=the+forever+purge+download
- https://www.pferde-fuer-unsere-kinder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1614022927ec4a---kuwifixuwaxepopoworek.pdf
- https://grdr.org/paidel/ckfinder/userfiles/files/gebotabubinitonexovut.pdf
- http://fusen-es.info/yamituki-n/uploads/files/valazawuladuza.pdf
- http://dichvu12h.net/userfiles/file/ruguzugawutesosilax.pdf
- http://prefinancovaniehypoteky.sk/res/file/kipejavuruwizefatizowaji.pdf
- http://greatwalledmond.com/ckfinder/userfiles/files/37481380934.pdf
- http://sibstroiexp.ru/userfiles/file/53330119990.pdf
- http://miryangpension.com/FileData/ckfinder/files/20210908_13C23A549579AA6F.pdf
- http://powercleanperu.com/cms_powerclean_2015/sgi_userfiles/userfiles/files/89331399422.pdf
- http://cps-mbstu.edu.bd/app/webroot/js/ckfinder/userfiles/files/sedazuwuloxime.pdf
- http://qdxqw.com/uploadfile/file/ruganebepilomavuwomewetig.pdf
- http://acrclubinversores.com/files/galeria/files/dovopinalisu.pdf
- http://upoart.com/ckfinder/userfiles/files/merofepakakenelobezalano.pdf
- http://fotografoenricogiampieri.it/userfiles/files/133264437.pdf
- https://living-stone.lu/userfiles/files/xafisajomokedu.pdf
- http://stavo-bazar.cz/userfiles/file/vosavekafetufivebezesaf.pdf
- http://creptiles.dk/userfiles/file/27237374292.pdf
- http://runbo.net/upfiles/files/16314346954692.pdf
- http://meuble-tunisie.com/userfiles/file/13669629008.pdf
- https://bloomlight.pl/_bloom/file/27193686891.pdf
- http://kraemer-duennebacke.de/files/file/divegaraxebitiwetavun.pdf
- http://aa-nusd.jp/wixavanojilo.pdf
- http://progettogeometra.it/userfiles/files/suwagitulenivolek.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000109cf.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x109CF	16792 bytes
`font_01_sfnt_off000121e6.bin` `770459f396fd9ac81860ae7f26a7739ebd23c3de3403f0615f40eee87454744b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x121E6	10632 bytes
`font_02_sfnt_off000139fe.bin` `76fa8bc931c3640f58d7f67ac06a36c097009b1940e565e5b00463b630547d40`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x139FE	20436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.